# Copyright (C) 2005 Tresys Technology, LLC policy_module(init,1.0) ######################################## # # Declarations # # # init_t is the domain of the init process. # type init_t; domain_make_domain(init_t) role system_r types init_t; # # init_exec_t is the type of the init program. # type init_exec_t; domain_make_entrypoint_file(init_t,init_exec_t) # # initctl_t is the type of the named pipe created # by init during initialization. This pipe is used # to communicate with init. # type initctl_t; files_make_file(initctl_t) filesystem_tmpfs_associate(initctl_t) devices_create_dev_entry(init_t,initctl_t,fifo_file) # # init_var_run_t is the type for /var/run/shutdown.pid. # type init_var_run_t; files_make_daemon_runtime_file(init_var_run_t) type initrc_t; domain_make_domain(initrc_t) role system_r types initrc_t; type initrc_exec_t; domain_make_entrypoint_file(initrc_t,initrc_exec_t) type initrc_devpts_t; filesystem_associate(initrc_devpts_t) filesystem_noxattr_associate(initrc_devpts_t) terminal_make_pseudoterminal(initrc_t,initrc_devpts_t) type initrc_var_run_t; files_make_daemon_runtime_file(initrc_var_run_t) type initrc_state_t; files_make_file(initrc_state_t) type initrc_tmp_t; files_make_temporary_file(initrc_tmp_t) type run_init_t; domain_make_domain(run_init_t) type run_init_exec_t; domain_make_entrypoint_file(run_init_t,run_init_exec_t) ######################################## # # Init local policy # # Re-exec itself allow init_t init_exec_t:file { getattr read execute execute_no_trans }; # For /var/run/shutdown.pid. allow init_t init_var_run_t:file { create getattr read append write setattr unlink }; files_create_daemon_runtime_data(init_t,init_var_run_t) # Run init scripts. this is ok since initrc # is also in this module allow init_t initrc_t:process transition; allow init_t initrc_exec_t:file { getattr read execute }; allow init_t self:fifo_file { read write ioctl }; kernel_transition_from(init_t,init_exec_t) kernel_sigchld_from(init_t) # If you load a new policy that removes active domains, processes can # get stuck if you do not allow unlabeled processes to signal init # If you load an incompatible policy, you should probably reboot, # since you may have compromised system security. kernel_unlabeled_sigchld_from(init_t) kernel_set_selinux_boolean(init_t) kernel_read_system_state(init_t) kernel_read_hardware_state(init_t) kernel_share_state(init_t) terminal_use_all_terminals(init_t) domain_signal_all_domains(init_t) domain_kill_all_domains(init_t) domain_all_init_domains_transition(init_t) files_modify_system_runtime_data(init_t) # file descriptors inherited from the rootfs. files_ignore_modify_rootfs_file(init_t) files_ignore_modify_rootfs_device(init_t) libraries_use_dynamic_loader(init_t) libraries_read_shared_libraries(init_t) corecommands_chroot(init_t) corecommands_execute_general_programs(init_t) corecommands_execute_system_programs(init_t) logging_send_system_log_message(init_t) selinux_read_config(init_t) miscfiles_read_localization(init_t) ######################################## # # the following seem questionable # libraries_modify_dynamic_loader_cache(init_t) files_create_runtime_system_config(init_t) authlogin_modify_login_records(init_t) logging_modify_system_logs(init_t) # Use capabilities. old rule: allow init_t self:capability ~sys_module; # is ~sys_module really needed? observed: # sys_boot # sys_tty_config # kill: now provided by domain_kill_all_domains() # setuid (from /sbin/shutdown) # sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot() # Modify utmp. allow init_t initrc_var_run_t:file { getattr read write setattr }; ifdef(`TODO',` # for mount points allow init_t file_t:dir search; ') dnl end TODO ######################################## # # Init script local policy # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; allow initrc_t self:capability ~{ sys_admin sys_module }; allow initrc_t self:passwd rootok; # Allow IPC with self allow initrc_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto }; allow initrc_t self:fifo_file { read write ioctl }; allow initrc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read }; allow initrc_t initrc_state_t:dir { create read getattr lock setattr ioctl unlink rename search add_name remove_name reparent write rmdir }; allow initrc_t initrc_state_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename }; allow initrc_t self:tcp_socket { connect listen accept create ioctl read getattr write setattr append bind getopt setopt shutdown }; allow initrc_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown }; files_create_daemon_runtime_data(initrc_t,initrc_var_run_t) allow initrc_t initrc_tmp_t : file { create ioctl read getattr lock write setattr append link unlink rename }; allow initrc_t initrc_tmp_t : dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; files_create_private_tmp_data(initrc_t,initrc_tmp_t, { file dir }) kernel_read_system_state(initrc_t) kernel_read_software_raid_state(initrc_t) kernel_read_network_state(initrc_t) kernel_read_ring_buffer(initrc_t) kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_hardware_state(initrc_t) kernel_modify_hardware_config_option(initrc_t) kernel_read_all_sysctl(initrc_t) kernel_modify_all_sysctl(initrc_t) kernel_get_selinux_enforcement_mode(initrc_t) kernel_list_usb_hardware(initrc_t) # for lsof which is used by alsa shutdown: kernel_ignore_get_message_interface_attributes(initrc_t) filesystem_register_binary_executable_type(initrc_t) # cjp: not sure why these are here; should use mount policy filesystem_mount_all_filesystems(initrc_t) filesystem_unmount_all_filesystems(initrc_t) filesystem_remount_all_filesystems(initrc_t) filesystem_get_all_filesystems_attributes(initrc_t) corenetwork_network_tcp_on_all_interfaces(initrc_t) corenetwork_network_raw_on_all_interfaces(initrc_t) corenetwork_network_udp_on_all_interfaces(initrc_t) corenetwork_network_tcp_on_all_nodes(initrc_t) corenetwork_network_raw_on_all_nodes(initrc_t) corenetwork_network_udp_on_all_nodes(initrc_t) corenetwork_network_tcp_on_all_ports(initrc_t) corenetwork_network_udp_on_all_ports(initrc_t) corenetwork_bind_tcp_on_all_nodes(initrc_t) corenetwork_bind_udp_on_all_nodes(initrc_t) devices_get_random_data(initrc_t) devices_get_pseudorandom_data(initrc_t) devices_add_entropy(initrc_t) devices_set_pseudorandom_seed(initrc_t) devices_read_framebuffer(initrc_t) devices_read_realtime_clock(initrc_t) devices_read_sound_mixer_levels(initrc_t) devices_write_sound_mixer_levels(initrc_t) devices_set_all_character_device_attributes(initrc_t) storage_get_fixed_disk_attributes(initrc_t) storage_set_fixed_disk_attributes(initrc_t) storage_set_removable_device_attributes(initrc_t) terminal_use_all_terminals(initrc_t) terminal_reset_physical_terminal_labels(initrc_t) bootloader_read_kernel_symbol_table(initrc_t) domain_kill_all_domains(initrc_t) domain_read_all_domains_process_state(initrc_t) domain_all_daemon_domains_transition(initrc_t) domain_all_system_domains_transition(initrc_t) domain_use_widely_inheritable_file_descriptors(initrc_t) libraries_modify_dynamic_loader_cache(initrc_t) libraries_use_dynamic_loader(initrc_t) libraries_read_shared_libraries(initrc_t) libraries_execute_library_scripts(initrc_t) files_get_all_file_attributes(initrc_t) files_remove_all_tmp_data(initrc_t) files_remove_all_lock_files(initrc_t) files_remove_all_daemon_runtime_data(initrc_t) files_read_general_system_config(initrc_t) files_create_runtime_system_config(initrc_t) files_manage_system_lock_files(initrc_t) files_execute_system_config_script(initrc_t) files_read_general_application_resources(initrc_t) files_manage_pseudorandom_saved_seed(initrc_t) corecommands_execute_general_programs(initrc_t) corecommands_execute_system_programs(initrc_t) corecommands_execute_shell(initrc_t) logging_send_system_log_message(initrc_t) selinux_read_config(initrc_t) sysnetwork_read_network_config(initrc_t) modutils_read_kernel_module_loading_config(initrc_t) authlogin_modify_login_records(initrc_t) authlogin_modify_last_login_log(initrc_t) miscfiles_read_localization(initrc_t) logging_modify_system_logs(initrc_t) logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) optional_policy(`authlogin.te',` authlogin_pam_read_runtime_data(initrc_t) authlogin_pam_remove_runtime_data(initrc_t) ') tunable_policy(`distro_redhat',` kernel_set_selinux_enforcement_mode(initrc_t) files_create_boot_flag(initrc_t) # Create and read /boot/kernel.h and /boot/System.map. # Redhat systems typically create this file at boot time. bootloader_create_runtime_data(initrc_t) ') dnl end distro_redhat ifdef(`TODO',` # Mount and unmount file systems. allow initrc_t { file_t default_t }:dir { read search getattr mounton }; allow initrc_t var_spool_t:file rw_file_perms; # Set device ownerships/modes. allow initrc_t xconsole_device_t:fifo_file setattr; # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such # started from init should be placed in their own domain. allow initrc_t admin_tty_type:chr_file rw_file_perms; # Read user home directories. allow initrc_t { home_root_t home_type }:dir r_dir_perms; allow initrc_t home_type:file r_file_perms; allow initrc_t udev_runtime_t:file rw_file_perms; # for lsof in shutdown scripts can_kerberos(initrc_t) dontaudit initrc_t krb5_conf_t:file write; allow initrc_t krb5_conf_t:file { getattr read }; # # Wants to remove udev.tbl # allow initrc_t device_t:dir rw_dir_perms; allow initrc_t device_t:lnk_file unlink; # # These rules are here to allow init scripts to su # optional_policy(`su.te', ` su_restricted_domain(initrc,system) role system_r types initrc_su_t; ') tunable_policy(`distro_debian', ` allow initrc_t { etc_t device_t }:dir setattr; # for storing state under /dev/shm allow initrc_t tmpfs_t:dir setattr; file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir) file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file) allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate; ')dnl end distro_debian tunable_policy(`distro_redhat', ` # Create and read /boot/kernel.h and /boot/System.map. # Redhat systems typically create this file at boot time. allow initrc_t boot_t:lnk_file rw_file_perms; allow initrc_t tmpfs_t:chr_file rw_file_perms; allow initrc_t tmpfs_t:dir r_dir_perms; # # readahead asks for these # allow initrc_t etc_aliases_t:file { getattr read }; allow initrc_t var_lib_nfs_t:file { getattr read }; ')dnl end distro_redhat # # Shutting down xinet causes these # # Fam dontaudit initrc_t device_t:dir { read write }; # Rsync dontaudit initrc_t mail_spool_t:lnk_file read; # for lsof which is used by alsa shutdown dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr; kernel_ignore_get_message_interface_attributes(initrc_t) ') dnl end TODO ################################# # # Run_init local policy # kernel_get_selinuxfs_mount_point(run_init_t) kernel_validate_selinux_context(run_init_t) kernel_compute_selinux_av(run_init_t) kernel_compute_create(run_init_t) kernel_compute_relabel(run_init_t) kernel_compute_reachable_user_contexts(run_init_t) tunable_policy(`targeted_policy',` # targeted/unconfined stuff ',` allow run_init_t initrc_t:process transition; allow run_init_t initrc_exec_t:file { getattr read execute }; dontaudit run_init_t initrc_t : process { noatsecure siginh rlimitinh }; # for utmp allow run_init_t initrc_var_run_t:file { getattr read write }; allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file { getattr read write }; # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit # the failed access to the current directory dontaudit run_init_t self:capability { dac_override dac_read_search }; files_ignore_search_all_directories(run_init_t) filesystem_get_persistent_filesystem_attributes(run_init_t) devices_ignore_list_device_nodes(run_init_t) terminal_ignore_list_pseudoterminals(run_init_t) domain_use_widely_inheritable_file_descriptors(run_init_t) corecommands_execute_general_programs(run_init_t) corecommands_execute_shell(run_init_t) files_read_general_system_config(run_init_t) libraries_use_dynamic_loader(run_init_t) libraries_read_shared_libraries(run_init_t) selinux_read_config(run_init_t) selinux_read_default_contexts(run_init_t) authlogin_ignore_read_shadow_passwords(run_init_t) miscfiles_read_localization(run_init_t) logging_send_system_log_message(run_init_t) ') dnl end ifdef targeted policy ifdef(`TODO',` tunable_policy(`targeted_policy', ` domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t) allow unconfined_t initrc_t:dbus { acquire_svc send_msg }; allow initrc_t unconfined_t:dbus { acquire_svc send_msg }; domain_trans(initrc_t, shell_exec_t, unconfined_t) ', ` domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t) role sysadm_r types run_init_t; domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t) allow run_init_t admin_tty_type:chr_file rw_file_perms; ') dnl endif targeted policy tunable_policy(`distro_gentoo', ` # Gentoo integrated run_init+open_init_pty-runscript: domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) domain_make_entrypoint_file(run_init_t,initrc_exec_t) ') ') dnl end TODO